Error Code

Error Text

Description

The issuer certificate of a looked up certificate could not be found. This normally means the list of trusted certificates is not complete.

3

Unable to get certificate CRL

The CRL of a certificate could not be found.

4

Unable to decrypt certificate’s signature

The certificate signature could not be decrypted. This means that the actual signature value could not be determined rather than it not matching the expected value, this is only meaningful for RSA keys.

5

Unable to decrypt CRL’s signature

The CRL signature could not be decrypted. This means that the actual signature value could not be determined rather than it not matching the expected value. Unused.

6

Unable to decode issuer public key

The public key in the certificate SubjectPublicKeyInfo could not be read.

7

Certificate signature failure

The signature of the certificate is invalid.

8

CRL signature failure

The signature of the certificate is invalid.

9

Certificate is not yet valid

The certificate is not yet valid. the notBefore date is after the current time.

10

Certificate has expired

The certificate has expired. that is the notAfter date is before the current time.

11

CRL is not yet valid

The CRL is not yet valid.

12

CRL has expired

The CRL has expired.

13

Format error in certificate’s notBefore field

The certificate notBefore field contains an invalid time.

14

Format error in certificate’s notAfter field

The certificate notAfter field contains an invalid time.

15

Format error in CRL’s lastUpdate field

The CRL lastUpdate field contains an invalid time.

16

Format error in CRL’s nextUpdate field

The CRL nextUpdate field contains an invalid time.

17

Out of memory

An error occurred trying to allocate memory. This should never happen.

18

Self signed certificate

The passed certificate is self signed and the same certificate cannot be found in the list of trusted certificates.

19

Self signed certificate in certificate chain

The certificate chain could be built up using the untrusted certificates but the root could not be found locally.

20

Unable to get local issuer certificate

The issuer certificate could not be found. this occurs if the issuer certificate of an untrusted certificate cannot be found.

21

Unable to verify the first certificate

No signatures could be verified because the chain contains only one certificate and it is not self signed.

22

Certificate chain too long

The certificate chain length is greater than the supplied maximum depth. Unused.

23

Certificate revoked

The certificate has been revoked.

24

Invalid CA certificate

A CA certificate is invalid. Either it is not a CA or its extensions are not consistent with the supplied purpose.

25

Path length constraint exceeded

The basicConstraints pathlength parameter has been exceeded.

26

Unsupported certificate purpose

The supplied certificate cannot be used for the specified purpose.

27

Certificate not trusted

The root CA is not marked as trusted for the specified purpose.

28

Certificate rejected

The root CA is marked to reject the specified purpose.

29

Subject issuer mismatch

The current candidate issuer certificate was rejected because its subject name did not match the issuer name of the current certificate. Only displayed when the -issuer_checks option is set.

30

Authority and subject key identifier mismatch

The current candidate issuer certificate was rejected because its subject key identifier was present and did not match the authority key identifier current certificate. Only displayed when the -issuer_checks option is set.

31

Authority and issuer serial number mismatch

The current candidate issuer certificate was rejected because its issuer name and serial number was present and did not match the authority key identifier of the current certificate. Only displayed when the -issuer_checks option is set.

32

Key usage does not include certificate signing

The current candidate issuer certificate was rejected because its keyUsage extension does not permit certificate signing.

Well, I haven’t written anything in a while so I figured I’d put this into WP. I recently upgraded a couple of my iOS devices to 8.4 and sure enough, I couldn’t send emails. Come to find out, my services at home were using weaker DH encryption and I needed to fix them if I wanted to send email ever again from my iPhone.

First I worked on sendmail. I needed to first create a DH 2048 bit file using openssl:

openssl dhparam -out dh_2048.pem -2 2048

This produced a file in my /etc/pki/tls/certs folder which I can now configure sendmail.mc to use via adding this line:

define(`confDH_PARAMETERS', `/etc/pki/tls/certs/dh_2048.pem')

Next you can do a ‘make -C /etc/mail’ or simply restart sendmail as it will detect the changes and do it for you (did for me at least.) Email was now working as expected and I’m no longer seeing this in my /var/log/maillog folder:

Now to take a look at Apache. I’m using an older version, I think 2.2.3-91 w/ CentOS so there’s only so much I can do regarding MITM attacks apparently. But I can explicitly tell Apache to NOT use weaker encryption protocols even though I can’t use the SSLOpenSSLConfCmd DHParameters “{path to dhparams.pem}” option and specify my DH key.

It appears I was incorrect! When you modify your server.xml file, you may or may not need to add SSLEnabled=”true” to your SSL connector piece. And neither of the Tomcat servers I’ve seen modified to support SSL ever required keyAlias=”server” for what it’s worth.

It looks like this has been out for some time but this is the first time I’ve encountered a server configured for it. Essentially, the network engineers removed all of the trusted CAs from the “Trusted Root Certification Authorities” tab except for ones they needed and DoDI 8520.2 ECA vendors. Why was this a problem you ask? Well, the developer who was administrating the server needed to connect to our webserver from the remote server in the datacenter to retrieve files to update the server. Our SSL certificate was from a non ECA vendor hence the company certificate wasn’t trusted. Clearly this isn’t just for client side certs (or at least that’s how the datacenter folks interpreted it!)

So a couple of months ago I had to stand up a DOORS Web Access server for work. It was pretty straight forward except for the creation of a certificate in your Java Keystore and then using it inside of your Tomcat server’s server.xml file.

To create the Java Keystore file you’ll first need to have downloaded Jetty which will do the command-line magic for you. I downloaded it from the codehaus.org website but you can find it by doing a Google for Jetty keytool. Once downloaded ensure your Java environment is setup correctly by issuing via command-line java -classpath lib/jetty-6.1.1.jar org.mortbay.jetty.security.PKCS12Import . It should return back w/ usage information letting you know your Java environment is setup for command-line Java execution. Next, put your PFX file in the same directory where you are via command-line and then issue java -classpath lib/jetty-6.1.1.jar org.mortbay.jetty.security.PKCS12Import <mycert>.pfx <myjavakeystorefile>.jks. You’ll be prompted for the password that allows you to use the PFX file, then you’ll be asked for a password for your JKS file. Once it’s done, you’ll have your Java Keystore and password.

Now, you need to open up your server.xml file and find the SSL part which needs to be modified to point to your Java Keystore file. When I found my server.xml file the https port was changed to 8443 which from what I hear is pretty common. I simply changed mine back to 443 so I wouldn’t have to do any firewall redirection. Now, I simply had to add SSLEnabled="true" keyAlias="server" keystoreFile="C:\path\to\keystore\file\mykeystorefile.jks" keypass="supersecretpasswordwhichI'mnotstupidenoughtoblogabout" . Once I had those attributes correctly set I simply stopped and restarted the Tomcat server.

This is the second part of my FTPES, vsftpd & CentOS article. In the first part I walked you thru how I built a certificate, sent the CSR off to my CA and finally, modified the vsftpd.conf file. In this part I’ll show you how to test the service via command-line so you can actually see the certificate and how to punch a hole thru your FW because the data part of your FTP session is now encrypted.

First, let’s talk about verifying the configuration. One of the obvious things you can do is open up a command prompt session and attempt to log into your ftp server. Once connected, does it accept an anonymous connection? Was that what you wanted? Also, was the plain jane ftp command allowing you to log in or did you get a 331 error, “Non-anonymous sessions must use encryption.” If you’ve configured it correctly it shouldn’t allow you to login at all. So how do you test it using encryption? By using openssl w/ s_client of course! Use…

openssl s_client -starttls ftp -connect yourserver.example.com:21

This will allow you to not only log into your server using encryption via command-line but also verify that you’ve got the proper certificate & certificate chain installed. I personally tried connecting w/ out the starttls option but wasn’t successful (instead I get a “SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol” error message. I beleive this is because I’m using vsftpd in explicit mode not impicit mode.) The openssl s_client command can also be used for a number of other encrypted services for debugging certificates which is extremely helpful!

So you’ve verified that FTPES does work on the local LAN but doesn’t seem to work thru your FW. This is where passive ftp comes into play because your FTP traffic is now encrypted and your FW can’t do an inspection to determine which port is going to be used next and open it up for you ahead of time. Most FWs come with some sort of FTP inspect feature but we just killed it because that data is totally encrypted now and it’s unable to sniff the FTP traffic and sense which port needs to be opened. You won’t have to turn on passive FTP because it’s on by default with vsftpd. You should specify the port range and I also turned on pasv_address too:

Once done, this will force your vsftpd server to use a port range of 63000 to 65535 for data connections. Alot of the commands I used above can be found w/in the man page for vsftpd.conf (along with their default values!)

Now you just need to open up that same range on your FW device (NOTE: Each FW is going to be different!) On my Cisco Adaptive Security appliance (ASA) I’m defining an object-group first for the port range like such:

Just be sure to use your public IP address for ‘YOUR_PUBLIC_IP’ in the above ACE. Now when it comes to ACL rules there’s tons of different ways to allow traffic so I won’t go into much more detail here other than how I punched a hole thru my FW to allow the encrypted vsftpd data channel traffic through.

That’s about it folks. Remember, if you’re having problems with your configuration, break it down into simple pieces and troubleshoot it that way versus trying to eat the entire problem at once!

At home I typically use Linux whenever possible and feel pretty familiar working with Openssl when it comes to generating different certificates, making a certificate signing request (CSR) and what the different files mean. But when it comes to Windows boxes, I’ve generally used the certificate wizard like everyone else. Today I had an issue with moving a wildcard certificate from one windows box to another because you can’t just look in the file system to find the private key for the public key your certificate authority (CA) just finished issuing to you from the CSR you built previously.

So, for some time now I’ve worked w/ HTTPS and SSL and have had no real issues. Today however, I finally got a chance to put multiple SSL sites on one IIS 6.0 server which wasn’t very intuitive. HTTPS is funny in that the host header data that a web server needs to have access to is encrypted and can’t be used until it’s decrypted. Course for it to decrypt the packet, it must know which certificate to use and very quickly we’ve got a circular issue. Long story short, web servers CAN host multiple SSL websites so long as the sites are variations of <something>.example.com and you use an apporpriate wild card certificate that will cover all the different sites on your HTTPS web server (such as an SSL certificate issued to *.example.com to cover all of the variations of <something>.example.com.) Ya, I know, confusing.

So while I was applying my craft to a Windows Server 2003 R2 box running IIS 6.0 I quickly encountered an error when I tried to put another website on port 443. Error was, “Cannot register the URL prefix https://*:443/ for site ‘<your site identifier here>’. The necessary network binding may already be in use. The site has been deactivated.” I believe it was event ID 1007 in the event viewer system logs. God I love logs

Quick search on Google reveals you’ve got to go command-line for this one by executing cscript.exe like so: